Disallow null references in safe code?

Jonathan M Davis jmdavisProg at gmx.com
Sat Feb 1 18:18:09 PST 2014 

On Sunday, February 02, 2014 00:40:16 deadalnix wrote:
> On Saturday, 1 February 2014 at 20:03:40 UTC, Jonathan M Davis
> 
> wrote:
> > In the general case, you can only catch it at compile time if
> > you disallow it
> > completely, which is unnecessarily restrictive.
> 
> That is not accurate. The proposal here propose to make it
> @system instead of disallowing it completely. Even looser, I
> propose to make @system reference passing that can be null
> through interface (function calls/return mostly). So you can use
> null locally, where the compiler can check you do not dereference
> it, and ensure that data coming from somewhere else is not null,
> unless specified as such.

Yes, and making pointers @system is too restrictive. For instance, AAs _rely_ 
on the ability to have nullable pointers. That's how their in operator works. 
The same is likely to go for any in operator that's looking to be efficient. 
Do you propose that the in operator be @system?

It's too restrictive for pointers or references to be @system and making them 
@system under any kind of normal circumstances would be a huge blow to @safe. 
We protect @safe code from problems with pointers and references by 
disallowing unsafe values from being assigned to them and by disallowing 
situations which can result in their valid, safe values becoming invalid, and 
thus unsafe. Passing a pointer to a function should not suddenly make it 
@system. And on top of the considerations for what @safe is supposed to be and 
do, it would be a real pain if an @safe function which initialized a pointer 
with a valid value then ended up with the function it passed that pointer to 
being unsafe just because that function doesn't know whether it was given a 
valid pointer or not, because @safe functions can't call @system functions. If 
we want to make pointers and references safe, it needs to be when their values 
are set, and that needs to include null as an @safe value.

Andrei raised _one_ case where it's possible for a null pointer to access 
memory that it shouldn't - where the object is over 4K (which is ridiculously 
large). If that can cause problems, then maybe having a pointer to an object 
like that could be considered @system, but having int* suddenly be @system 
because of potential null pointers pretty much completely shoots @safe in the 
foot with regards to pointers.

- Jonathan M Davis

More information about the Digitalmars-d mailing list